Requirements
- Need to bring a new external web server online to host our Internet web site (www.gd-ais.com)
- Windows 2000, IIS 5.0, ColdFusion (application server)
- No sensitive information, no “store front” or other web apps to protect.
- Want protection from:
  - Defacement
  - Use as a jumping-off point to the rest of our network.
- Serve as an example for future secure web server installations

Planning
- Security concerns should be identified and planned for from the very beginning. It is much harder and more error-prone to “add security later.”
- Reference: Develop a computer deployment plan that includes security issues. http://www.cert.org/security-improvement/practices/p065.html

Planning
Examples of things to consider:
- Purpose(s) of the server
- Security requirements
- Internet service(s) needed (e.g., http, ftp)
- Categories of users, their privileges, and how they will be authenticated.
- Patching, backup, and virus detection procedures

Windows and IIS Installation
- Install only necessary Windows and IIS components.
- Install all patches and updates. Run HotFix Checker, MBSA.
- Document and baseline current configuration.
- Note that W2k3 has alleviated the need for some of this.
- References: Microsoft documentation, TechNet, Knowledge Base articles.

Windows and IIS Hardening
- This definitely consumed the most time (in terms of research, implementation, and testing).
- Just because Windows and IIS have been minimally installed, updated, and patched, it does not mean your server and site are secure!

ColdFusion installation and hardening
(This applies to any third-party application server)
- Research the product and its vulnerabilities
- Be aware of what the installer is doing
- Install latest updates and patches
- Protect against unknown vulnerabilities by following good security practices (e.g., least privilege, remove/disable unnecessary features, change default values)
- Test, document, and baseline!
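The "document and baseline" step on the installation slide and on this slide, as an added example that is not part of the original deck: a PowerShell script that records the running services, installed hotfixes, listening ports, installed roles and IIS sites of a web server, and later reports anything that has drifted from that record. It assumes a current Windows Server with the ServerManager and WebAdministration modules (these cmdlets do not exist on Windows 2000/IIS 5.0); the baseline path and function names are the example's own.

```powershell
# Added example (not from the original deck): capture a configuration baseline
# of a Windows web server and compare a later snapshot against it to spot drift.
# Assumes a current Windows Server with PowerShell 5.1+, ServerManager and the
# WebAdministration module; the cmdlets used are not available on Windows 2000.
param(
    [ValidateSet('Capture','Compare')][string]$Action = 'Capture',
    [string]$Path = "$env:ProgramData\baseline\$env:COMPUTERNAME.xml"  # assumed location
)

function Get-ServerSnapshot {
    # Everything that should only change through a deliberate, documented action.
    [pscustomobject]@{
        Taken     = Get-Date
        Services  = Get-Service | Where-Object Status -eq 'Running' |
                    Select-Object -ExpandProperty Name | Sort-Object
        Hotfixes  = Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object
        Listeners = Get-NetTCPConnection -State Listen |
                    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique
        Features  = Get-WindowsFeature | Where-Object Installed |
                    Select-Object -ExpandProperty Name | Sort-Object
        IisSites  = Get-Website | ForEach-Object { "$($_.Name) -> $($_.PhysicalPath)" } | Sort-Object
    }
}

function Compare-Snapshot($Baseline, $Current) {
    # Returns one line per item that was added to or removed from the baseline.
    $drift = @()
    foreach ($key in 'Services','Hotfixes','Listeners','Features','IisSites') {
        $diff = Compare-Object -ReferenceObject @($Baseline.$key) -DifferenceObject @($Current.$key)
        foreach ($d in $diff) {
            $kind = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            $drift += "$key $kind $($d.InputObject)"
        }
    }
    return $drift
}

switch ($Action) {
    'Capture' {
        New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
        Get-ServerSnapshot | Export-Clixml -Path $Path
        Write-Host "Baseline written to $Path"
    }
    'Compare' {
        $drift = Compare-Snapshot (Import-Clixml $Path) (Get-ServerSnapshot)
        if ($drift.Count -eq 0) { Write-Host 'No drift from baseline' }
        else { $drift | ForEach-Object { Write-Warning $_ } }
    }
}
```

Run it once with -Action Capture after hardening and testing, then with -Action Compare after each change window; a new listener, a new site or a removed hotfix is reported as a warning.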